<!DOCTYPE HTML>

<html lang="en">
<head>

<title>ContentSecurityPolicyHeaderWriter (spring-security-docs 5.6.3 API)</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="../../../../../../stylesheet.css" title="Style">
<link rel="stylesheet" type="text/css" href="../../../../../../jquery/jquery-ui.css" title="Style">
<script type="text/javascript" src="../../../../../../script.js"></script>
<script type="text/javascript" src="../../../../../../jquery/jszip/dist/jszip.min.js"></script>
<script type="text/javascript" src="../../../../../../jquery/jszip-utils/dist/jszip-utils.min.js"></script>
<!--[if IE]>
<script type="text/javascript" src="../../../../../../jquery/jszip-utils/dist/jszip-utils-ie.min.js"></script>
<![endif]-->
<script type="text/javascript" src="../../../../../../jquery/jquery-3.5.1.js"></script>
<script type="text/javascript" src="../../../../../../jquery/jquery-ui.js"></script>
</head>
<body>
<script type="text/javascript"><!--
    try {
        if (location.href.indexOf('is-external=true') == -1) {
            parent.document.title="ContentSecurityPolicyHeaderWriter (spring-security-docs 5.6.3 API)";
        }
    }
    catch(err) {
    }
//-->
var data = {"i0":10,"i1":10,"i2":10,"i3":10};
var tabs = {65535:["t0","All Methods"],2:["t2","Instance Methods"],8:["t4","Concrete Methods"]};
var altColor = "altColor";
var rowColor = "rowColor";
var tableTab = "tableTab";
var activeTableTab = "activeTableTab";
var pathtoroot = "../../../../../../";
var useModuleDirectories = true;
loadScripts(document, 'script');</script>
<noscript>
<div>JavaScript is disabled on your browser.</div>
</noscript>
<header role="banner">
<nav role="navigation">
<div class="fixedNav">

<div class="topNav"><a id="navbar.top">

</a>
<div class="skipNav"><a href="ContentSecurityPolicyHeaderWriter.html#skip.navbar.top" title="Skip navigation links">Skip navigation links</a></div>
<a id="navbar.top.firstrow">

</a>
<ul class="navList" title="Navigation">
<li><a href="../../../../../../index.html">Overview</a></li>
<li><a href="package-summary.html">Package</a></li>
<li class="navBarCell1Rev">Class</li>
<li><a href="package-tree.html">Tree</a></li>
<li><a href="../../../../../../deprecated-list.html">Deprecated</a></li>
<li><a href="../../../../../../index-all.html">Index</a></li>
<li><a href="../../../../../../help-doc.html">Help</a></li>
</ul>
</div>
<div class="subNav">
<ul class="navList" id="allclasses_navbar_top">
<li><a href="../../../../../../allclasses.html">All&nbsp;Classes</a></li>
</ul>
<ul class="navListSearch">
<li><label for="search">SEARCH:</label>
<input type="text" id="search" value="search" disabled="disabled">
<input type="reset" id="reset" value="reset" disabled="disabled">
</li>
</ul>
<div>
<script type="text/javascript"><!--
  allClassesLink = document.getElementById("allclasses_navbar_top");
  if(window==top) {
    allClassesLink.style.display = "block";
  }
  else {
    allClassesLink.style.display = "none";
  }
  //-->
</script>
<noscript>
<div>JavaScript is disabled on your browser.</div>
</noscript>
</div>
<div>
<ul class="subNavList">
<li>Summary:&nbsp;</li>
<li>Nested&nbsp;|&nbsp;</li>
<li>Field&nbsp;|&nbsp;</li>
<li><a href="ContentSecurityPolicyHeaderWriter.html#constructor.summary">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="ContentSecurityPolicyHeaderWriter.html#method.summary">Method</a></li>
</ul>
<ul class="subNavList">
<li>Detail:&nbsp;</li>
<li>Field&nbsp;|&nbsp;</li>
<li><a href="ContentSecurityPolicyHeaderWriter.html#constructor.detail">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="ContentSecurityPolicyHeaderWriter.html#method.detail">Method</a></li>
</ul>
</div>
<a id="skip.navbar.top">

</a></div>

</div>
<div class="navPadding">&nbsp;</div>
<script type="text/javascript"><!--
$('.navPadding').css('padding-top', $('.fixedNav').css("height"));
//-->
</script>
</nav>
</header>

<main role="main">
<div class="header">
<div class="subTitle"><span class="packageLabelInType">Package</span>&nbsp;<a href="package-summary.html">org.springframework.security.web.header.writers</a></div>
<h2 title="Class ContentSecurityPolicyHeaderWriter" class="title">Class ContentSecurityPolicyHeaderWriter</h2>
</div>
<div class="contentContainer">
<ul class="inheritance">
<li>java.lang.Object</li>
<li>
<ul class="inheritance">
<li>org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter</li>
</ul>
</li>
</ul>
<div class="description">
<ul class="blockList">
<li class="blockList">
<dl>
<dt>All Implemented Interfaces:</dt>
<dd><code><a href="../HeaderWriter.html" title="interface in org.springframework.security.web.header">HeaderWriter</a></code></dd>
</dl>
<hr>
<pre>public final class <span class="typeNameLabel">ContentSecurityPolicyHeaderWriter</span>
extends java.lang.Object
implements <a href="../HeaderWriter.html" title="interface in org.springframework.security.web.header">HeaderWriter</a></pre>
<div class="block"><p>
Provides support for <a href="https://www.w3.org/TR/CSP2/">Content Security Policy
(CSP) Level 2</a>.
</p>
<p>
CSP provides a mechanism for web applications to mitigate content injection
vulnerabilities, such as cross-site scripting (XSS). CSP is a declarative policy that
allows web application authors to inform the client (user-agent) about the sources from
which the application expects to load resources.
</p>
<p>
For example, a web application can declare that it only expects to load script from
specific, trusted sources. This declaration allows the client to detect and block
malicious scripts injected into the application by an attacker.
</p>
<p>
A declaration of a security policy contains a set of security policy directives (for
example, script-src and object-src), each responsible for declaring the restrictions
for a particular resource type. The list of directives defined can be found at
<a href="https://www.w3.org/TR/CSP2/#directives">Directives</a>.
</p>
<p>
Each directive has a name and value. For detailed syntax on writing security policies,
see <a href="https://www.w3.org/TR/CSP2/#syntax-and-algorithms">Syntax and
Algorithms</a>.
</p>
<p>
This implementation of <a href="../HeaderWriter.html" title="interface in org.springframework.security.web.header"><code>HeaderWriter</code></a> writes one of the following headers:
</p>
<ul>
<li>Content-Security-Policy</li>
<li>Content-Security-Policy-Report-Only</li>
</ul>
<p>
By default, the Content-Security-Policy header is included in the response. However,
calling <a href="ContentSecurityPolicyHeaderWriter.html#setReportOnly(boolean)"><code>setReportOnly(boolean)</code></a> with <code>true</code> will include the
Content-Security-Policy-Report-Only header in the response. <strong>NOTE:</strong> The
supplied security policy directive(s) will be used for whichever header is enabled
(included).
</p>
<p>
<strong> CSP is not intended as a first line of defense against content injection
vulnerabilities. Instead, CSP is used to reduce the harm caused by content injection
attacks. As a first line of defense against content injection, web application authors
should validate their input and encode their output. </strong>
</p></div>
<dl>
<dt><span class="simpleTagLabel">Since:</span></dt>
<dd>4.1</dd>
</dl>
</li>
</ul>
</div>
<div class="summary">
<ul class="blockList">
<li class="blockList">

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="constructor.summary">

</a>
<h3>Constructor Summary</h3>
<table class="memberSummary">
<caption><span>Constructors</span><span class="tabEnd">&nbsp;</span></caption>
<tr>
<th class="colFirst" scope="col">Constructor</th>
<th class="colLast" scope="col">Description</th>
</tr>
<tr class="altColor">
<th class="colConstructorName" scope="row"><code><span class="memberNameLink"><a href="ContentSecurityPolicyHeaderWriter.html#%3Cinit%3E()">ContentSecurityPolicyHeaderWriter</a></span>()</code></th>
<td class="colLast">
<div class="block">Creates a new instance.</div>
</td>
</tr>
<tr class="rowColor">
<th class="colConstructorName" scope="row"><code><span class="memberNameLink"><a href="ContentSecurityPolicyHeaderWriter.html#%3Cinit%3E(java.lang.String)">ContentSecurityPolicyHeaderWriter</a></span>&#8203;(java.lang.String&nbsp;policyDirectives)</code></th>
<td class="colLast">
<div class="block">Creates a new instance</div>
</td>
</tr>
</table>
</li>
</ul>
</section>

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="method.summary">

</a>
<h3>Method Summary</h3>
<table class="memberSummary">
<caption><span id="t0" class="activeTableTab"><span>All Methods</span><span class="tabEnd">&nbsp;</span></span><span id="t2" class="tableTab"><span><a href="javascript:show(2);">Instance Methods</a></span><span class="tabEnd">&nbsp;</span></span><span id="t4" class="tableTab"><span><a href="javascript:show(8);">Concrete Methods</a></span><span class="tabEnd">&nbsp;</span></span></caption>
<tr>
<th class="colFirst" scope="col">Modifier and Type</th>
<th class="colSecond" scope="col">Method</th>
<th class="colLast" scope="col">Description</th>
</tr>
<tr id="i0" class="altColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="ContentSecurityPolicyHeaderWriter.html#setPolicyDirectives(java.lang.String)">setPolicyDirectives</a></span>&#8203;(java.lang.String&nbsp;policyDirectives)</code></th>
<td class="colLast">
<div class="block">Sets the security policy directive(s) to be used in the response header.</div>
</td>
</tr>
<tr id="i1" class="rowColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="ContentSecurityPolicyHeaderWriter.html#setReportOnly(boolean)">setReportOnly</a></span>&#8203;(boolean&nbsp;reportOnly)</code></th>
<td class="colLast">
<div class="block">If true, includes the Content-Security-Policy-Report-Only header in the response,
otherwise, defaults to the Content-Security-Policy header.</div>
</td>
</tr>
<tr id="i2" class="altColor">
<td class="colFirst"><code>java.lang.String</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="ContentSecurityPolicyHeaderWriter.html#toString()">toString</a></span>()</code></th>
<td class="colLast">&nbsp;</td>
</tr>
<tr id="i3" class="rowColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="ContentSecurityPolicyHeaderWriter.html#writeHeaders(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)">writeHeaders</a></span>&#8203;(javax.servlet.http.HttpServletRequest&nbsp;request,
javax.servlet.http.HttpServletResponse&nbsp;response)</code></th>
<td class="colLast">
<div class="block">Create a <code>Header</code> instance.</div>
</td>
</tr>
</table>
<ul class="blockList">
<li class="blockList"><a id="methods.inherited.from.class.java.lang.Object">

</a>
<h3>Methods inherited from class&nbsp;java.lang.Object</h3>
<code>clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait</code></li>
</ul>
</li>
</ul>
</section>
</li>
</ul>
</div>
<div class="details">
<ul class="blockList">
<li class="blockList">

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="constructor.detail">

</a>
<h3>Constructor Detail</h3>
<a id="&lt;init&gt;()">

</a>
<ul class="blockList">
<li class="blockList">
<h4>ContentSecurityPolicyHeaderWriter</h4>
<pre>public&nbsp;ContentSecurityPolicyHeaderWriter()</pre>
<div class="block">Creates a new instance. Default value: default-src 'self'</div>
</li>
</ul>
<a id="&lt;init&gt;(java.lang.String)">

</a>
<ul class="blockListLast">
<li class="blockList">
<h4>ContentSecurityPolicyHeaderWriter</h4>
<pre>public&nbsp;ContentSecurityPolicyHeaderWriter&#8203;(java.lang.String&nbsp;policyDirectives)</pre>
<div class="block">Creates a new instance</div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>policyDirectives</code> - maps to <a href="ContentSecurityPolicyHeaderWriter.html#setPolicyDirectives(java.lang.String)"><code>setPolicyDirectives(String)</code></a></dd>
<dt><span class="throwsLabel">Throws:</span></dt>
<dd><code>java.lang.IllegalArgumentException</code> - if policyDirectives is null or empty</dd>
</dl>
</li>
</ul>
</li>
</ul>
</section>

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="method.detail">

</a>
<h3>Method Detail</h3>
<a id="writeHeaders(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>writeHeaders</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;writeHeaders&#8203;(javax.servlet.http.HttpServletRequest&nbsp;request,
                         javax.servlet.http.HttpServletResponse&nbsp;response)</pre>
<div class="block"><span class="descfrmTypeLabel">Description copied from interface:&nbsp;<code><a href="../HeaderWriter.html#writeHeaders(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)">HeaderWriter</a></code></span></div>
<div class="block">Create a <code>Header</code> instance.</div>
<dl>
<dt><span class="overrideSpecifyLabel">Specified by:</span></dt>
<dd><code><a href="../HeaderWriter.html#writeHeaders(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)">writeHeaders</a></code>&nbsp;in interface&nbsp;<code><a href="../HeaderWriter.html" title="interface in org.springframework.security.web.header">HeaderWriter</a></code></dd>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>request</code> - the request</dd>
<dd><code>response</code> - the response</dd>
<dt><span class="seeLabel">See Also:</span></dt>
<dd><a href="../HeaderWriter.html#writeHeaders(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)"><code>HeaderWriter.writeHeaders(javax.servlet.http.HttpServletRequest,
javax.servlet.http.HttpServletResponse)</code></a></dd>
</dl>
</li>
</ul>
<a id="setPolicyDirectives(java.lang.String)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setPolicyDirectives</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setPolicyDirectives&#8203;(java.lang.String&nbsp;policyDirectives)</pre>
<div class="block">Sets the security policy directive(s) to be used in the response header.</div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>policyDirectives</code> - the security policy directive(s)</dd>
<dt><span class="throwsLabel">Throws:</span></dt>
<dd><code>java.lang.IllegalArgumentException</code> - if policyDirectives is null or empty</dd>
</dl>
</li>
</ul>
<a id="setReportOnly(boolean)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setReportOnly</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setReportOnly&#8203;(boolean&nbsp;reportOnly)</pre>
<div class="block">If true, includes the Content-Security-Policy-Report-Only header in the response,
otherwise, defaults to the Content-Security-Policy header.</div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>reportOnly</code> - set to true for reporting policy violations only</dd>
</dl>
</li>
</ul>
<a id="toString()">

</a>
<ul class="blockListLast">
<li class="blockList">
<h4>toString</h4>
<pre class="methodSignature">public&nbsp;java.lang.String&nbsp;toString()</pre>
<dl>
<dt><span class="overrideSpecifyLabel">Overrides:</span></dt>
<dd><code>toString</code>&nbsp;in class&nbsp;<code>java.lang.Object</code></dd>
</dl>
</li>
</ul>
</li>
</ul>
</section>
</li>
</ul>
</div>
</div>
</main>

<footer role="contentinfo">
<nav role="navigation">

<div class="bottomNav"><a id="navbar.bottom">

</a>
<div class="skipNav"><a href="ContentSecurityPolicyHeaderWriter.html#skip.navbar.bottom" title="Skip navigation links">Skip navigation links</a></div>
<a id="navbar.bottom.firstrow">

</a>
<ul class="navList" title="Navigation">
<li><a href="../../../../../../index.html">Overview</a></li>
<li><a href="package-summary.html">Package</a></li>
<li class="navBarCell1Rev">Class</li>
<li><a href="package-tree.html">Tree</a></li>
<li><a href="../../../../../../deprecated-list.html">Deprecated</a></li>
<li><a href="../../../../../../index-all.html">Index</a></li>
<li><a href="../../../../../../help-doc.html">Help</a></li>
</ul>
</div>
<div class="subNav">
<ul class="navList" id="allclasses_navbar_bottom">
<li><a href="../../../../../../allclasses.html">All&nbsp;Classes</a></li>
</ul>
<div>
<script type="text/javascript"><!--
  allClassesLink = document.getElementById("allclasses_navbar_bottom");
  if(window==top) {
    allClassesLink.style.display = "block";
  }
  else {
    allClassesLink.style.display = "none";
  }
  //-->
</script>
<noscript>
<div>JavaScript is disabled on your browser.</div>
</noscript>
</div>
<div>
<ul class="subNavList">
<li>Summary:&nbsp;</li>
<li>Nested&nbsp;|&nbsp;</li>
<li>Field&nbsp;|&nbsp;</li>
<li><a href="ContentSecurityPolicyHeaderWriter.html#constructor.summary">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="ContentSecurityPolicyHeaderWriter.html#method.summary">Method</a></li>
</ul>
<ul class="subNavList">
<li>Detail:&nbsp;</li>
<li>Field&nbsp;|&nbsp;</li>
<li><a href="ContentSecurityPolicyHeaderWriter.html#constructor.detail">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="ContentSecurityPolicyHeaderWriter.html#method.detail">Method</a></li>
</ul>
</div>
<a id="skip.navbar.bottom">

</a></div>

</nav>
</footer>
<script>if (window.parent == window) {(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)})(window,document,'script','//www.google-analytics.com/analytics.js','ga');ga('create', 'UA-2728886-23', 'auto', {'siteSpeedSampleRate': 100});ga('send', 'pageview');}</script><script defer src="https://static.cloudflareinsights.com/beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194" integrity="sha512-Gi7xpJR8tSkrpF7aordPZQlW2DLtzUlZcumS8dMQjwDHEnw9I7ZLyiOj/6tZStRBGtGgN6ceN6cMH8z7etPGlw==" data-cf-beacon='{"rayId":"7040d747bdbc980c","token":"bffcb8a918ae4755926f76178bfbd26b","version":"2021.12.0","si":100}' crossorigin="anonymous"></script>
</body>
</html>
